From 499fd673befa6fed6bd0e542d9bb06cb49bd150e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 11 Apr 2019 11:40:11 +0200
Subject: [PATCH 198/208] s3:param: Only allow SMB 3.0+ for DCERPC client
 connections over named pipes

We need an AES encrypted transport as some RPC services only encrypt
secrets using RC4, e.g. password changes over SAMR.

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 source3/param/loadparm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b52e2bcb036..c1d02cf5bc6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4614,6 +4614,15 @@ int lp_client_max_protocol(void)
 int lp_client_ipc_min_protocol(void)
 {
 	int client_ipc_min_protocol = lp__client_ipc_min_protocol();
+
+	/*
+	 * If weak crypto is not allowed, force at least SMB3 which offers AES
+	 * encrypted connections.
+	 */
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return MAX(client_ipc_min_protocol, PROTOCOL_SMB3_00);
+	}
+
 	if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
 		client_ipc_min_protocol = lp_client_min_protocol();
 	}
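Review bot: The early return under `if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED)` runs before the `PROTOCOL_DEFAULT` fallback just below it, so when the IPC minimum is left at its default, `lp_client_min_protocol()` is never consulted. An administrator who has set a stricter general client minimum (above `PROTOCOL_SMB3_00`) would then get a weaker IPC floor in exactly the mode meant to be stricter. Moving the check below the fallback keeps both constraints: resolve the default first, then `return MAX(client_ipc_min_protocol, PROTOCOL_SMB3_00);`. As written, the `MAX()` also relies on `PROTOCOL_DEFAULT` comparing lower than `PROTOCOL_SMB3_00`, which cannot be confirmed from this hunk. The body of `lp_client_ipc_min_protocol()` continues past the hunk, so any later clamping there is skipped by this return as well.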
-- 
2.23.0